10 worst-case BYOD scenarios (and how to prevent them)

When it comes to BYOD, the best defense is a good offense. These proactive strategies will help you anticipate and avoid potential problems.

Bring Your Own Device has stirred plenty of controversy. Companies are either embracing it to its fullest extent or avoiding it like the plague. BYOD can potentially save you money and help make your employees happier and more productive. But it also brings along with it a number of possible pitfalls, from security to compatibility and everything in between. For the most part, those pitfalls can be avoided with just a little planning and education. "No way," you say? Let's look at some likely worst-case scenarios and see how you can prevent them from occurring.

1: Exposed data

Exposing sensitive company data is always a fear -- BYOD or not. But employees bringing in their own devices adds an extra layer to that fear sandwich. People lose smartphones and tablets. These devices also get stolen frequently. When that happens, your data can easily fall into the wrong hands. Avoid this by adopting a secure wipe policy, so that when a device is lost or stolen, company data is removed remotely. This type of policy should be set in place immediately.

2: Passwords in the wild

Your employees could be carrying with them the keys to a number of kingdoms. Those passwords may be cached inside applications (saved logon details) or stored in the device's memory. You must have a policy in place stating that no company password is to be saved in the cache of any application on the device. Another policy should state that if employees need to retain company passwords (or even company information) on their device, the information/passwords must be saved within an application that encrypts its data.

3: Declining productivity

What happens when your employees take advantage of the BYOD plan and spend most of their time on social networking sites, Snapchatting with friends, or worse? Because many of those devices have their own carrier data connections, employees will most likely assume they can get away with usage outside of company policy. To avoid this, establish a company policy that requires users to agree that when a device is being used within the company, it will be on the company wireless network. If those employees know they must use the wireless network, they will be less inclined to spend as much time on social networking sites -- or doing anything counterproductive.

4: Compatibility issues

With BYOD comes a deluge of possible devices and platforms. You could go to work one day and all of a sudden be looking at the prospect of supporting Android, iOS, OS X, BlackBerry, Linux, Windows 8... and although the list may not seem huge, the hurdles could be. Instead of allowing any platform, you could do one of two things: limit the platforms allowed, or make it clear you will support only company-approved platforms and that users of any other platform will be on their own.

5: Bandwidth overuse

So many companies already stutter on their network. Most assume they can get by with the bare minimum -- a gross mistake. One of the beauties of BYOD is that your end users will be more prone to work outside the office (thereby using their carrier network or their own wireless); when in the office, they will be using both their desktop and their device. With the added stress on your network, you'll want to make sure you have a big enough pipe to handle the extra usage. Though most businesses are already prepared for this, some smaller businesses might be attempting to run on a standard DSL. This will not do.

6: Device management

Many are already asking how to manage the devices. With various devices on various carriers, you can't simply enroll them all in one management console to control how those machines are used. What you can do is set up a network access control (NAC) system like PacketFence and control each device by its MAC address. Yes, this will require you to set up a process in which end users allow you to record the MAC addresses of their devices. But it will go a long way toward managing those devices and how each one uses your network resources.
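As an added illustration of items 1 and 6 together (this is not code from the article, and it is not PacketFence's interface), the Python below models a device registry that feeds a MAC-keyed NAC decision and a lost-device workflow: enrollment records a device by MAC, the NAC consults those records, and a loss report blocks the device immediately while a wipe is queued for the moment the device next checks in. Every name, MAC address and timestamp in it is constructed, and the `DeviceRegistry` API is an assumption made for the example; the one general point it adds is the check for locally administered (randomized) MAC addresses, which a MAC-keyed allow-list will not recognize.

```python
"""Device registry feeding a MAC-keyed NAC decision and a remote-wipe workflow.

Added example, not code from the article or from PacketFence. All names,
MAC addresses, timestamps and the DeviceRegistry API are constructed here.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


def normalize_mac(raw: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff and
    return the canonical lower-case colon form, so that the same device is
    matched however a switch, AP or user happens to write its address."""
    if re.sub(r"[0-9a-fA-F:.\-]", "", raw):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet marks a locally administered address. Current
    phone OSes generate such randomized per-network MACs by default, so a
    MAC-keyed allow-list will not recognize the device until randomization is
    turned off for the company SSID and the real address is enrolled."""
    return int(mac.split(":")[0], 16) & 0x02 != 0


@dataclass
class Device:
    mac: str                                # canonical form
    owner: str
    platform: str
    status: str = "active"                  # active | lost | wiped
    lost_reported_at: Optional[datetime] = None
    wipe_pending: bool = False


class DeviceRegistry:
    """Enrollment records keyed by MAC, as item 6 of the article suggests."""

    def __init__(self) -> None:
        self._devices: dict = {}

    def enroll(self, raw_mac: str, owner: str, platform: str) -> str:
        mac = normalize_mac(raw_mac)
        if mac in self._devices:
            raise ValueError(f"{mac} is already enrolled")
        self._devices[mac] = Device(mac, owner, platform)
        return mac

    def nac_decision(self, raw_mac: str):
        """Decide whether a MAC seen on the network gets past the NAC.
        Returns (allow, reason); the reason is what the help desk will read."""
        try:
            mac = normalize_mac(raw_mac)
        except ValueError as exc:
            return False, str(exc)
        dev = self._devices.get(mac)
        if dev is None:
            if is_locally_administered(mac):
                return False, "unregistered randomized MAC: disable MAC randomization for the company SSID, then enroll"
            return False, "unregistered device"
        if dev.status != "active":
            return False, f"device is {dev.status}"
        return True, f"registered to {dev.owner} ({dev.platform})"

    def report_lost(self, raw_mac: str, reported_at: str) -> Device:
        """Item 1: the moment a loss is reported, cut network access and
        queue a wipe. The wipe cannot execute until the device next reaches
        the management server, which is why the NAC block happens first."""
        dev = self._devices[normalize_mac(raw_mac)]
        dev.status = "lost"
        dev.lost_reported_at = datetime.fromisoformat(reported_at)
        dev.wipe_pending = True
        return dev

    def device_checked_in(self, raw_mac: str, checked_in_at: str):
        """Called when the device next contacts the server. Returns the
        command to send ("wipe" or None) and, for a wipe, how many seconds
        the data sat exposed after the report, so the figure can be tracked."""
        dev = self._devices[normalize_mac(raw_mac)]
        if not dev.wipe_pending:
            return None, None
        dev.wipe_pending = False
        dev.status = "wiped"
        exposed = datetime.fromisoformat(checked_in_at) - dev.lost_reported_at
        return "wipe", int(exposed.total_seconds())


if __name__ == "__main__":
    reg = DeviceRegistry()
    reg.enroll("3C-5A-B4-00-11-22", "alice", "Android")      # constructed
    print(reg.nac_decision("3c5a.b400.1122"))                # allowed
    print(reg.nac_decision("da:1f:22:33:44:55"))             # randomized, denied
    reg.report_lost("3c:5a:b4:00:11:22", "2013-03-01T09:00:00+00:00")
    print(reg.nac_decision("3c:5a:b4:00:11:22"))             # denied: lost
    print(reg.device_checked_in("3c:5a:b4:00:11:22", "2013-03-01T11:00:00+00:00"))
```

Two design points are worth noting. A MAC address identifies a network interface, not a person, and it can be changed by whoever holds the device, so the registry is an inventory and triage aid layered under proper user authentication, not a substitute for it. And the wipe command only lands when the device reconnects, so the exposure window returned by `device_checked_in` is the number management should be watching; a block at the NAC is the one control that takes effect the instant the loss is reported.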

7: Wireless bottlenecks

With all of those extra devices coming into the company, all of them depending upon wireless networking, you are going to have to make sure your wireless is up to snuff. You won't be able to depend upon a consumer-grade wireless router. Not only will that router possibly choke on the bandwidth usage, it might not handle the level of security you need. Before you open this floodgate, purchase wireless equipment that won't bottleneck and won't open up a vast array of security holes.

8: Autonomy overuse

When you allow BYOD you are, effectively, telling your end users that you trust them enough to grant them a higher level of autonomy. This, of course, can be abused. The last thing you want is a handful of users who think they are an island and, thus, above the rule of the company. Though you are allowing BYOD, you must still make sure they understand that this does not give them free rein to break the rules and do as they please. If you have to, make employees sign a contract confirming that they understand the limits of the freedoms they've been given.

9: Virus infections

Most mobile platforms are not as susceptible to viruses as their desktop counterparts are. But that doesn't mean they can't pass along infected files. Because of this, end users need to understand they must employ an antivirus solution on any machine (or device) that passes files on to end users. Any antivirus must be approved by the company and regularly maintained and updated.

10: Compatibility complaints

You're going to face a wave of irate users complaining that the applications they have on their devices can't open files necessary for work. You'll need to make it clear that they simply have to purchase/install applications that can open company-supported file formats. One of the best office suites for this is Kingsoft Office. That will cover Microsoft Office and LibreOffice. Also make sure users have an alternative browser (like Firefox), in case their default browser is unable to handle web-based applications your company relies upon. In the end, there still may be issues they can't overcome with those devices. When that happens, there are always tools like LogMeIn (to gain access to their desktop) or even RDP clients.

Bring Your Own Drama

It's coming to an IT department near you. When it does, be prepared for anything and everything. You're dealing with the teen years of mobile devices and you're going to have to have tricks up your sleeve you never thought you'd need. But if you're prepared, and if you've prepared your users, that drama will hardly get the chance to rear its ugly head.

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

These days, I really could not be bothered starting in a new working environment wanting to BYOD, except for a high-quality keyboard and mouse combination. Why do I want to stuff around with a phone or tablet when there's a PC sitting in front of me?

If I won't use facebook or ebay on my phone, why would I want to use a word processor, spreadsheet or even a site such as this one?

BYOD has lots of challenges, and I agree that security, and especially data security, is the main challenge for most organizations and BYOD; but there are many solutions out there such as MDM and other large management systems. I think one of the more interesting ones is that companies are writing their own data security apps that use APIs like Tigertext's SOX/HIPAA compliant texting TigerConnect API, or the Dropbox API, that run on multiple devices and OSes. The benefit is that these apps are easy to deploy and easy to use, and I think you will see more companies using this strategy to deal with BYOD.

I currently support BYOD at work and as much as I dislike it I don't have a choice. The owner decided that he wanted users to be able to bring in their own hardware and we needed to support it. It's a royal pain and I'm constantly having to fix people's personal systems. It's almost like I'm working in a repair shop instead of a corporation. There are way too many security issues that this type of thing brings up. Unfortunately for all of us, the more business owners decide they want to save money the worse our security and many other things will get.

...providing your employees with the equipment and software they need to do their jobs.
And if BYOD is OK, then the reverse should also be OK. Let your employees use their company-provided devices for home use when they aren't at work. That would do much more for employee morale than expecting your employees to buy their own devices to use at work.
I think the only employees who are enthusiastic about BYOD are the tech-heads, and management who can afford it.

Another legal issue that I have not seen anyone address is the software licensing issue. Best advice is to work with a Software Asset Management expert from your company when drafting the BYOD guidelines to understand what, if any, liabilities you will be incurring for these devices. Depending on the software licensing contracts that you have in place, each additional device may need its own licensing as well.

I am a student in IT now and am a fan of the no BYOD camp. I feel that you should have the device that your company provides for work as it is a "clean" machine and you don't have any need to put family pictures or other personal things on it. If you do so you know that you will lose them.

"...establish a company policy that requires users to agree that when a device is being used within the company, it will be on the company wireless network"
Good luck legally enforcing that; your cell phone will always be on to get emergency calls from your kids, etc. Since wifi doesn't do cell calls there's no way to enforce that. And if someone doesn't adhere to the policy how would you know without violating their rights, not to mention getting into trouble with the FCC.
"...spend most of their time on social networking sites, snap chatting with friends, or worse"
This is the Borg mentality and is a bigger threat to productivity than anything the employees would do.

BYOD is not happening here and I can't see it ever happening. A lot of places have data they don't want others to see but what if that data is also on a government control list of some sort?
Check with your regulator, if in a regulated industry, and see what you can or cannot do (like having a wireless network, BYOD, etc.)

The majority of these scenarios were arguments against BYOD when it was proposed in the first place.
And the main argument for it was "gee we're going to save money"
SO, what did everyone do? force IT to deploy it as if it was going to magically work.
In the old days there used to be a saying that went "Every Design Flaw happens at least three times in computing: once in Mainframes, Once in Minis (what servers pass for nowadays) and at least once in Micros (PCs)".
Now we know why this happens.

If you are smart you give those devices access to an isolated wireless network that just gives the devices access to the internet and not to "The System". Have a policy that allows these devices to check e-mail but not store it for more than a week. If you want to go through the bother you can restrict all access by unknown devices so you can make sure those devices are compliant.
But none of these can take the place of proper education. If you are not willing to teach, explain and train your employees on the "Best Practices" then you have earned all the headaches you get.

Additional "bandwidth" (i.e. additional data) for BYOD devices? I think not as, if a user is using their own device, they are not using the company device so increased data demand on an own device should be matched by a decreased data demand on a company device.
Personally I wouldn't want the responsibility of using my own device for company work so I'm quite happy with a "no BYOD" rule.

1. For remote removal to be effective you need to activate it remotely. If someone has deliberately targeted a device from your company, the worst case scenario, they are going to immediately deactivate the connection capability to stop that happening; easiest being to remove the SIM card. Sorry, the data is definitely stolen as there is ALWAYS a delay of several minutes to a few days, usually an hour or so, while they try to find where they left it, before anyone in management gets told and action is started. - - In short, remote removal is only useful against someone who wants only the device and is going to wipe the data anyway.
2. Many of these consumer level devices do NOT have the capability to handle a decent password protection program, so that is a big issue on some. Add in that more and more of the device makers are now using systems to lock you into only the software they approve and you suddenly have many more issues.
3. The social networking, heck, the main reason to allow the use of a BYOD is for use when away from the office, so it won't be on the corporate network anyway. Also, there is no guarantee they will only use the corporate network when in house, and you assume the company has or wants a corporate wireless network in house; many don't for security reasons.
4. The cost of the usage of these things when you get outside the USA is horrendous as the rest of the world charges by the MB for all traffic. Once you take that into account, it is often cheaper to provide a corporate notebook with all suitable data stored on it.
5. Any policy that says device A is OK, but Device B is not is going to get complaints and challenges about discrimination - have fun with the meetings with managers over this one.

[QUOTE]To avoid this, establish a company policy that requires users to agree that when a device is being used within the company, it will be on the company wireless network.[/QUOTE]
How the blazes are we supposed to enforce this? Have them remove the SIM card of their device whenever we enter the office? A Star Trek type dampening field?

Seriously Jack, if you're going to BYOD then it has to be ALL devices, not a subset. Either you have full-bore BYOD or not at all. Imagine telling Sally in HR that her iPhone is not OK, but Bob's Samsung across the cube wall is OK with his. Yeah, that will work out just great.

It sounds great for the company to avoid excess cost for the electronic devices, but it exposes the company to a host of other problems as mentioned above. Now Frederick county in Maryland is going to do the same thing in letting kids BYOD. The upside will be a great aid in education, but the downside is a host of malware and viruses to the school system that will be brought in by the kids as they surf and collect these issues from questionable sites. OK so now the cost savings the school thought they would have will be eaten up in robust scanners and protection software as well as equipment downtime due to invasions into the school system. It is a good idea in a perfect society but not in school with kids!

This is where Application and Desktop Virtualization Solutions from companies like Citrix come into play. They resolve/reduce most of the listed problems. Granted, this is not a solution for really small companies. Though VDI in a Box looks to be leaning that way now with pricing and features.

Do not allow any BYOD onto your network. PERIOD. This has been the biggest thorn in my side since 1983. Users will hide things from you and stash their notebook, netbook, laptop, even cameras (real big NO-NO) and recorders when you are summoned to a virus infected machine. Users have brought porn and home movies that were infected and streamed them to other users on other networks. A lot of this should also apply to media too. CD/DVD, jump drives have become the newest way to bypass security. One user even brought in an external USB drive and shut down a research network resulting in $2M damages and lost data.

your job. Very few people actually NEED a mobile device to do their job properly and most companies have always been very good at supplying corporate hardware when they do REALLY NEED a mobile device for their job. The problem comes from people who only THINK they need a mobile device to do their job.
A case in point, I know of a person who is arguing with their management to be allowed to check their company mail on their smartphone as that allows them to do that anywhere. The corporate policy is you can only check mail on company equipment that's been issued to you and has the appropriate software and security measures. It's the same policy for dealing with ALL corporate data.
Now the real point here is that the person spends less than 10% of his time out of the office, and those are for important client meetings where he should NOT be disturbed while with the client, so they don't even let him take a cell phone to those meetings. He also spends about 25% of his time in other offices within the corporate HQ. He claims to want to have the access to allow him to check mail while elsewhere in the building. But guess what! If he's anywhere within the building he can log onto any machine and check his mail. The only time he can't is when he's in a meeting where he's supposed to be paying attention to the meeting and not his mail. His situation is typical of all but a few marketing staff, which is why the corporate policy is NO BYOD and very hard on other mobile devices.
In another case I know of a senior manager at a company that allows BYOD who had a very important meeting with thirty of his top staff. The email about the meeting had the agenda and the note that no mobile devices were to be at the meeting unless they were corporate issued ones with a level 2 security set up. At some point during the meeting over twenty staff complained about being unable to check their mail on their mobile device. The organiser noted who complained and said nothing. What most had failed to recognise was the meeting was in their high-security meeting room which was TEMPEST approved; in effect they were sitting in an earthed wire cage that blocked ALL radio transmission signals in or out. All the staff who complained were later personally counselled about the lack of quality in their attention to company security needs.
In short, if there is a REAL need for a mobile device, most will be issued one by the company; however company management are getting fed up with people pushing for a mobile device when there is no REAL need, and some of those with a real need object to the company provided device; thus the move to push for BYOD to eliminate these complaints.

And the classic example of that was shown a few years back when a major shipment of some contaminated petrol was delivered to a certain fuel depot. This was found out after the fact. What brought it to light was a huge number of calls for cars broken down on the side of the road.
It seems the older people were able to open the bonnet, look inside, and realise that the fuel filter is supposed to look like it's full of fuel, not water and dirt. Seeing this they disconnected the hoses and used a back blow technique on the filters to clear the majority of the junk out - simply put, they put their mouth to the out-line side and blew the water and crap out the in-line side.
Almost none of the under 30 group could work out this problem, and only a few of those that did work it out were prepared to fix the issue themselves as such action was beneath them.
In short, most of the younger generation today are much more competent in the use of what they have, but less competent in looking after the gear or understanding how it works.

...have different data, different threats, and different levels of acceptable risk. Smaller companies are generally much more risk accepting than a large established one.
An example where BYOD would pretty much be a necessity: When I first started in IT, I worked in a real estate office. Each Realtor was their own independent contractor and could use any PC or mobile device they feel will help them earn a commission. All we did was provide the infrastructure and support services. It may have changed over the years, but at the time the agents were in complete control of their own destiny and security - we couldn't enforce password complexity, data backups, or anything else on systems outside of the central infrastructure. Each agent was their own workgroup and not joined to a domain.
In that situation, trying to enforce "no BYOD" would have killed agent productivity, caused animosity, and probably resulted in a few departures for competitors.
As a student, you're likely familiar with another situation where BYOD is firmly entrenched: education. In the case of universities, the policy is typically not to forbid students/faculty from connecting to the network with whatever device they want, but rather limit what is available on the network for them to reach. Instead of putting the primary security barrier at "can you connect to the network" it is moved back to "can you connect to this resource."
Also, try to tell an executive why he has to carry two phones: one for personal data and one for business. It just isn't going to happen.

Jack's "establish a company policy..." line isn't worth arguing about. Even if you could get management and employees to sign off on such a thing, there's no technical means available to enforce it.
But there is a bigger legal issue nobody has brought up yet: Who are the employees we're allowing to have BYOD? Are they expected to check mail/custom apps/etc during their "off time?" Even if they aren't specifically required to do so, is there pressure for them to monitor/respond to off-hours items? Are they being compensated for that?
Unless you've consulted with legal/HR and know exactly how you're going to deal with legally required compensation for after-hours work/on-call status, I'd strongly suggest no after-hours access for any FLSA "non-exempt" employees. That includes BYOD, issuing them laptops, allowing after-hours email access, etc. See www.flsa.gov/coverage.html for guidance. Googling "non-exempt employee byod" turns up a few good links on the subject, too.

If it is stored on or accessed through a mobile device, it is going to be lost/stolen/compromised. Eventually, it is going to happen. Management needs to be prepared for that eventuality and I'd pound that fact into their heads before they decide what can be accessed/synced to a BYOD... or even a corporate-owned mobile device.
MDM solutions are just what they claim: mobile DEVICE management. But if we lose a device, so what? That can be easily replaced. What we really care about is the DATA on the device. And that is weakly protected for the reasons Deadly Earnest mentions above: weak passwords, trivial ability to block remote wipes, etc.

Are you suggesting that the original iPhone 1 should be supported? How about Kindle? Nook? There has to be a cutoff somewhere or you're left supporting a Windows '98 box.
That said, I am not a fan of BYOD just for the security management aspect.

Somebody mark down this date in history: I've finally agreed with something Jack has said. Limited BYOD does work if a list of supported devices is communicated to employees BEFORE you start allowing them on the network. If you've told your users you will support X and Y, and they still buy Z, then they can either trade it in to their carrier for a supported device or do without.
Of course, if you already have a "wild west" of anything-goes BYOD, trying to suddenly tighten the reins is not going to go over well. Might want to consider allowing all current devices, while restricting future devices. Again, communication before users show up at your desk with an unsupported device is key.

If you look at the pilot (http://education.fcps.org/chs/sites/default/files/Pilot%20Reg%20BYOD%20FAQ%2001.23.13.pdf), you will see that BYOD in FCPS is doomed to fail. There is no mandate to use a device, but kids can use them if they feel it will work. That means that devices can be used throughout the day basically for any purpose.
With no mandated software or apps, there is no control as to how the kids will utilize the devices. Teachers are not equipped to provide instruction on the numerous devices out there.

In other words, let's go back to the mainframe days of the 70s and before when the IT Overlords controlled everything. Users weren't able to do anything bad, but they weren't able to do much good either. And any changes to the systems could only happen after a minimum of 3 months of Change Control meetings and sign-offs from 35 or more people. Keep dreaming.